pyOpenSSL 16.0.0 released

Hynek Schlawack hs at
Sat Mar 19 07:29:28 EDT 2016

On behalf of PyCA – the Python Cryptography Authority – I’m anxious to announce that after almost a year since the 0.15.1 release of pyOpenSSL we’ve released the brand new 16.0.0.

A few organizational notes:

1. The pyopenssl-users mailing list and #pyopenssl IRC channel are deprecated.  Please use cryptography-dev <> and #cryptography-dev on Freenode where you’re much more likely to get help.
2. The version scheme switched to CalVer because a 0.x version for a 15 years old project is rather odd and calling it 1.0 although we don’t expect a 2.0 to ever happen didn’t make any sense.  pyOpenSSL is a long-running project with strict backward-compatibility requirements and is hence better served with a calendar-based version scheme.
3. Please note that some of us will be doing a TLS/HTTPS workshop at PyCon US 2016 so if you always wanted to learn about these things first hand, make sure to sign up: <>.  We've opted to receive no compensation and asked the organizers to send them to PyLadies instead.  So you’ll be doing good while learning something!


Release details:

While the list of changes looks short, a lot internal work happened:

72 files changed, 15511 insertions(+), 15063 deletions(-)

We’ve done our best to not break any existing applications; including by making the urllib3 and Twisted test suites part of our CI.

The full changelog can be found at <>.

This is the first release under full stewardship of PyCA. We have made many changes to make local development more pleasing. The test suite now passes both on Linux and OS X with OpenSSL 0.9.8, 1.0.1, and 1.0.2. It has been moved to py.test, all CI test runs are part of tox and the source code has been made fully flake8 compliant.

We hope to have lowered the barrier for contributions significantly but are open to hear about any remaining frustrations.

Backward-incompatible changes:

• Python 3.2 support has been dropped. It never had significant real world usage and has been dropped by our main dependency cryptography. Affected users should upgrade to Python 3.3 or later.


• The support for EGD has been removed. The only affected function OpenSSL.rand.egd() now uses os.urandom() to seed the internal PRNG instead. Please see pyca/cryptography#1636 for more background information on this decision. In accordance with our backward compatibility policy OpenSSL.rand.egd() will be removed no sooner than a year from the release of 16.0.0.
Please note that you should use urandom for all your secure random number needs.
	• Python 2.6 support has been deprecated. Our main dependency cryptography deprecated 2.6 in version 0.9 (2015-05-14) with no time table for actually dropping it. pyOpenSSL will drop Python 2.6 support once cryptography does.


• Fixed OpenSSL.SSL.Context.set_session_id, OpenSSL.SSL.Connection.renegotiate, OpenSSL.SSL.Connection.renegotiate_pending, and OpenSSL.SSL.Context.load_client_ca. They were lacking an implementation since 0.14. #422
• Fixed segmentation fault when using keys larger than 4096-bit to sign data. #428
• Fixed AttributeError when OpenSSL.SSL.Connection.get_app_data() was called before setting any app data. #304
• Added OpenSSL.crypto.dump_publickey() to dump OpenSSL.crypto.PKey objects that represent public keys, and OpenSSL.crypto.load_publickey() to load such objects from serialized representations. #382
• Added OpenSSL.crypto.dump_crl() to dump a certificate revocation list out to a string buffer. #368
• Added OpenSSL.SSL.Connection.get_state_string() using the OpenSSL binding state_string_long. #358
• Added support for the socket.MSG_PEEK flag to OpenSSL.SSL.Connection.recv() and OpenSSL.SSL.Connection.recv_into(). #294
• Added OpenSSL.SSL.Connection.get_protocol_version() and OpenSSL.SSL.Connection.get_protocol_version_name(). #244
• Switched to utf8string mask by default. OpenSSL formerly defaulted to a T61String if there were UTF-8 characters present. This was changed to default to UTF8String in the config around 2005, but the actual code didn't change it until late last year. This will default us to the setting that actually works. To revert this you can call OpenSSL.crypto._lib.ASN1_STRING_set_default_mask_asc(b"default"). #234


For PyCA,
Hynek Schlawack
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Python-announce-list mailing list